6.2 Patient Rights Under HIPAA
Module 6: HIPAA — Healthcare Privacy in the USA
Covers the six key patient rights under the HIPAA Privacy Rule — including records access, amendment, accounting of disclosures, restriction requests, and confidential communications — with practical guidance on exercising them.
A privacy law that only restricts what organisations can do, without giving individuals any agency, is incomplete. The HIPAA Privacy Rule recognises this: alongside its rules on covered entities, it grants patients a set of enforceable rights over their own health information. Understanding these rights is the starting point for exercising them.
Right 1: Access your own records
Patients have the right to inspect and obtain a copy of their PHI held in a covered entity's designated record set — which typically means their medical records and billing records. Under the original Privacy Rule, covered entities had up to 60 days to respond (with one 30-day extension). A 2021 update by HHS tightened this: covered entities that maintain electronic health records must provide electronic copies within 15 business days, and the rule limits the fees they can charge to the reasonable cost of labour for producing the records, not a profit centre (45 CFR § 164.524; HHS, 2021). To make a request, submit a written request to the covered entity's privacy officer or medical records department.
Right 2: Amend your records
If you believe your health records contain incorrect or incomplete information, you may request an amendment. The covered entity has 60 days to respond (with one 30-day extension). They may deny the request on specific grounds — for instance, if they did not create the record or if they believe the record is accurate. If denied, you have the right to submit a statement of disagreement that must be included with any future disclosures of the disputed information (45 CFR § 164.526).
Right 3: Accounting of disclosures
You can request a list of disclosures your covered entity has made of your PHI during the prior six years — but not disclosures for TPO (treatment, payment, healthcare operations), which are the majority. The accounting covers disclosures such as those for law enforcement, public health purposes, or legal proceedings (45 CFR § 164.528).
Right 4: Request restrictions
You may request that a covered entity restrict certain uses or disclosures of your PHI. Covered entities are not generally required to agree — but there is a mandatory exception: if you pay out of pocket in full for a service, the covered entity must honour your request not to disclose information about that service to your health plan (45 CFR § 164.522).
Right 5: Confidential communications
Patients may request that a covered entity contact them by a specific means or at a specific location — for example, requesting that appointment reminders be sent only to a personal mobile number, not a home phone (45 CFR § 164.522). Covered entities must accommodate reasonable requests without requiring an explanation.
What to do if denied
If a covered entity refuses to honour your rights, you may file a complaint with the HHS Office for Civil Rights (OCR). The OCR investigates complaints and can impose civil monetary penalties ranging from $100 to $50,000 per violation, with an annual cap of $1.9 million per violation category (45 CFR § 160.404). Filing a complaint does not require a lawyer.
Your takeaway
Know your six rights: access, amendment, accounting of disclosures, restriction requests, and confidential communications — plus the right to complain to OCR. These rights give you meaningful leverage over your health data held by US healthcare providers.